SiteMinder: AdminUI Vulnerability - Apache CXF < 3.6.8 / 4.x < 4.0.9 / 4.1.x < 4.1.3 RCE (CVE-2025-48913)
Article ID: 425446

Updated On:

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

CVE-2025-48913 - Apache CXF < 3.6.8 / 4.x < 4.0.9 / 4.1.x < 4.1.3 RCE

If untrusted users are allowed to configure JMS for Apache CXF, they could previously supply RMI or LDAP URLs, potentially leading to code execution.

Environment

Siteminder AdminUI: Version 12.8 SP7

Cause

Vulnerability reported on cxf-core-3.3.10.jar

Path              : ../adminui/siteminder/adminui/modules/system/layers/base/org/apache/cxf/main/cxf-core-3.3.10.jar
Installed version : 3.3.10
Fixed version     : 3.6.8
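The scanner finding above is a version comparison on the jar file name: the installed cxf-core version is matched against the fixed version for its release line (3.x fixed at 3.6.8, 4.0.x at 4.0.9, 4.1.x at 4.1.3, as stated in the CVE title). The following Python is an added example, not Broadcom's or Apache's code, that reproduces that check for a list of jar paths so a practitioner can confirm what the scanner matched on. The fixed-version table comes from this article; the path layout is the one shown above. Note that a filename match only says the bundled version predates the fix; it cannot by itself tell whether the vulnerable JMS configuration path is reachable in the product, which is the separate judgement this article records.

```python
import re
from pathlib import PurePosixPath

# Fixed versions per release line for CVE-2025-48913, taken from the advisory title:
# Apache CXF < 3.6.8 / 4.x < 4.0.9 / 4.1.x < 4.1.3
FIXED_BY_BRANCH = {
    (3,): (3, 6, 8),
    (4, 0): (4, 0, 9),
    (4, 1): (4, 1, 3),
}

# Matches the artifact name the scanner reported, e.g. cxf-core-3.3.10.jar
JAR_RE = re.compile(r"^cxf-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_cxf_core_version(path: str):
    """Return (major, minor, patch) for a cxf-core jar path, or None if not cxf-core."""
    match = JAR_RE.match(PurePosixPath(path).name)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def fixed_version_for(version):
    """Map an installed version to the fixed version of its release line."""
    major, minor, _patch = version
    if major == 3:
        return FIXED_BY_BRANCH[(3,)]
    if major == 4 and minor in (0, 1):
        return FIXED_BY_BRANCH[(4, minor)]
    return None  # release line not covered by the advisory


def assess(path: str) -> dict:
    """Classify one jar path the way a version-based scanner would."""
    version = parse_cxf_core_version(path)
    if version is None:
        return {"path": path, "status": "not-cxf-core"}
    fixed = fixed_version_for(version)
    installed = ".".join(map(str, version))
    if fixed is None:
        return {"path": path, "installed": installed, "status": "unknown-branch"}
    # Tuple comparison gives correct numeric ordering (3.3.10 < 3.6.8).
    status = "below-fixed" if version < fixed else "fixed"
    return {
        "path": path,
        "installed": installed,
        "fixed": ".".join(map(str, fixed)),
        "status": status,
    }


def assess_paths(paths):
    """Assess a list of jar paths and return only the cxf-core findings."""
    return [r for r in (assess(p) for p in paths) if r["status"] != "not-cxf-core"]


if __name__ == "__main__":
    # Constructed sample: the path from this article plus a few hypothetical jars.
    sample_paths = [
        "../adminui/siteminder/adminui/modules/system/layers/base/org/apache/cxf/main/cxf-core-3.3.10.jar",
        "/opt/example/lib/cxf-core-4.0.9.jar",      # hypothetical, at fixed version
        "/opt/example/lib/cxf-core-4.1.2.jar",      # hypothetical, below fixed version
        "/opt/example/lib/cxf-rt-frontend-jaxrs-3.3.10.jar",  # hypothetical, not cxf-core
    ]
    for finding in assess_paths(sample_paths):
        print(finding)
```

The article's path yields installed 3.3.10 against fixed 3.6.8, which is exactly the "below-fixed" match the scanner reported; the resolution below explains why that match is treated as a false positive for SiteMinder AdminUI.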

Resolution

SiteMinder is not impacted by the Apache CXF vulnerability listed above.

It is advised to obtain an exception for this finding.

Alternatively, upgrade to SiteMinder AdminUI version 12.9 or above to clear the false-positive finding.